Everything posted by cm0s

  1. i'll find someone that reads manuals...
  2. use my setup as example from comcast i have 'dynamic' ip however quite often with ispz they get treated as 'static' it's a serious pain in the butt for them to go rollen around like that from the very end of that cable line into say a bare mim motorola sb6121 it is technically considered 'dynamic' from the isp point of view from there i plug that dynamic isp assigned cable into my bare mim cable modem box and cat 5 to my open source router inside the ddwrt router i have the config set to 'auto' this is at the very top and is so the router knows the isp is actually 'dynamic' this is the only part in the router that anything is set to 'auto' from there i set my local assign ip addys and dns plus shut off all time stuff and dhcp stuff this hardens the local and actually keeps my isp's config basically stopped at the router these things are a dime a dozen you could even go a step further and toss in another flashed router in between and do a bunch of other things but yes i think rolling without dhcp purren on anything and haven full control of yer network is just adding to the 'layer' of security the down side is well yes it is easier to misconfig sumthin, i hammer junk all time but itz how ya get puppy treats and well they are just good for ya yep, static is in my opinion fda approved
  3. you probably saw this but just in case: http://eleccelerator.com/alternative-way-to-dual-boot-truecrypted-windows-and-fully-encrypted-linux/ done duals but not a windows full encryption so curious on that myself, please post up the fix you find if you would, plus might help others to know that also i don't dual any more, i just wreck my boxes too often, 'tweaker' in me, i fix it till it's brokeD as usual, if you have that 'bug' yourself as i call it, well, do windows a favor and move it to its own box that way you got something stable which once configd right, 7 is solid day after day cheerz
  4. fyi: i think the 'review bandit' took one of my bananas cheerz
  5. ref: https://airvpn.org/topic/15769-how-to-harden-firefox-extreme-edition/ sum tweax: /* user.js tweax edited 090216 */ user_pref("browser.slowStartup.notificationDisabled", true); user_pref("browser.slowStartup.maxSamples", 0); user_pref("browser.slowStartup.samples", 0); user_pref("browser.rights.3.shown", true); user_pref("browser.startup.homepage_override.mstone", "ignore"); user_pref("startup.homepage_welcome_url", ""); user_pref("startup.homepage_override_url", ""); user_pref("browser.feeds.showFirstRunUI", false); user_pref("browser.shell.checkDefaultBrowser", false); user_pref("geo.enabled", false); user_pref("geo.wifi.uri", "http://127.0.0.1"); user_pref("browser.search.geoip.url", ""); user_pref("devtools.remote.wifi.scan", false); user_pref("devtools.remote.wifi.visible", false); user_pref("browser.search.countryCode", "US"); user_pref("browser.search.region", "US"); user_pref("app.update.enabled", false); user_pref("app.update.auto", false); user_pref("browser.search.update", false); user_pref("extensions.update.enabled", false); user_pref("extensions.update.autoUpdateDefault", false); user_pref("extensions.getAddons.cache.enabled", false); user_pref("lightweightThemes.update.enabled", false); user_pref("plugins.update.notifyUser", false); user_pref("plugins.hide_infobar_for_outdated_plugin", false); user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false); user_pref("dom.ipc.plugins.reportCrashURL", false); user_pref("extensions.webservice.discoverURL", "http://127.0.0.1"); user_pref("toolkit.telemetry.unified", false); user_pref("toolkit.telemetry.enabled", false); user_pref("toolkit.telemetry.server", ""); user_pref("toolkit.telemetry.archive.enabled", false); user_pref("datareporting.healthreport.uploadEnabled", false); user_pref("datareporting.healthreport.documentServerURI", ""); user_pref("datareporting.healthreport.service.enabled", false); user_pref("datareporting.policy.dataSubmissionEnabled", false); 
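/* user.js, continued: one pref per line so the file can be diffed and audited.
 * Firefox reads user.js top to bottom and the LAST assignment to a name wins, so the
 * duplicates the original carried (browser.newtabpage.enabled, media.navigator.enabled,
 * media.navigator.permission.disabled, security.tls.unrestricted_rc4_fallback,
 * plugin.scan.plid.all, and the plugin.scan.* trio set first to 99999 then to "100")
 * have been collapsed to the value that was already in effect; behaviour is unchanged.
 * "browser.formfill. enable" had a line-wrap space inside the pref name and would have
 * been silently ignored; it is restored to browser.formfill.enable. */

/* experiments / crash reporting / telemetry-ish endpoints */
user_pref("experiments.enabled", false);
user_pref("experiments.manifest.uri", "");
user_pref("experiments.supported", false);
user_pref("experiments.activeExperiment", false);
user_pref("network.allow-experiments", false);
user_pref("breakpad.reportURL", "");

/* new tab page, snippets, pocket, hello, social api */
user_pref("browser.newtab.preload", false);
user_pref("browser.newtabpage.directory.ping", "");
user_pref("browser.newtabpage.directory.source", "");
user_pref("browser.newtabpage.enabled", false);
user_pref("browser.newtabpage.enhanced", false);
user_pref("browser.newtabpage.introShown", true);
user_pref("browser.newtab.url", "about:blank");
user_pref("browser.aboutHomeSnippets.updateUrl", "https://127.0.0.1");
user_pref("browser.selfsupport.url", "");
user_pref("loop.enabled", false);
user_pref("browser.pocket.enabled", false);
user_pref("reader.parse-on-load.enabled", false);
user_pref("browser.pocket.api", "");
user_pref("browser.pocket.site", "");
user_pref("social.whitelist", "");
user_pref("social.toast-notifications.enabled", false);
user_pref("social.shareDirectory", "");
user_pref("social.remote-install.enabled", false);
user_pref("social.directories", "");
user_pref("social.share.activationPanelEnabled", false);

/* safe browsing: fully off. Trade-off to be aware of: this also removes the browser's
 * own malware/phishing and malicious-download checks, not only the lookups to Google.
 * Anything that replaces that check has to come from outside the browser. */
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.safebrowsing.downloads.enabled", false);
user_pref("browser.safebrowsing.downloads.remote.enabled", false);
user_pref("browser.safebrowsing.appRepURL", "");
user_pref("browser.safebrowsing.gethashURL", "");
user_pref("browser.safebrowsing.malware.reportURL", "");
user_pref("browser.safebrowsing.reportErrorURL", "");
user_pref("browser.safebrowsing.reportGenericURL", "");
user_pref("browser.safebrowsing.reportMalwareErrorURL", "");
user_pref("browser.safebrowsing.reportMalwareURL", "");
user_pref("browser.safebrowsing.reportPhishURL", "");
user_pref("browser.safebrowsing.reportURL", "");
user_pref("browser.safebrowsing.updateURL", "");

/* tracking protection (off here; the list download is what is being avoided) */
user_pref("privacy.trackingprotection.enabled", false);
user_pref("browser.polaris.enabled", false);
user_pref("browser.trackingprotection.gethashURL", "");
user_pref("browser.trackingprotection.getupdateURL", "");
user_pref("privacy.trackingprotection.pbmode.enabled", false);

/* network: no prefetch, no speculative connects, no pings, no urlbar guessing */
user_pref("network.IDN_show_punycode", true);            /* homograph domains show as xn-- */
user_pref("network.negotiate-auth.allow-insecure-ntlm-v1", false);
user_pref("network.stricttransportsecurity.preloadlist", true);
user_pref("network.prefetch-next", false);
user_pref("network.dns.disablePrefetch", true);
user_pref("network.dns.disablePrefetchFromHTTPS", true);
user_pref("network.predictor.enabled", false);
user_pref("browser.search.suggest.enabled", false);
user_pref("network.http.speculative-parallel-limit", 0);
user_pref("browser.send_pings", false);
user_pref("browser.send_pings.require_same_host", true);
user_pref("keyword.enabled", false);                     /* a typo in the urlbar is not a search query */
user_pref("browser.fixup.alternate.enabled", false);     /* ...and is not rewritten to www.X.com */
user_pref("browser.urlbar.maxRichResults", 0);
user_pref("browser.urlbar.trimURLs", false);
user_pref("browser.urlbar.autoFill", false);
user_pref("browser.urlbar.autoFill.typed", false);
user_pref("browser.urlbar.autocomplete.enabled", false);

/* history, session, forms, passwords, cache: keep nothing on disk */
user_pref("browser.history_expire_days", 0);
user_pref("browser.history_expire_sites", 0);
user_pref("browser.history_expire_visits", 0);
user_pref("browser.urlbar.suggest.history", false);
user_pref("browser.sessionhistory.max_entries", 4);
user_pref("layout.css.visited_links_enabled", false);
user_pref("browser.urlbar.filter.javascript", true);
user_pref("browser.formfill.enable", false);
user_pref("browser.formfill.saveHttpsForms", false);
user_pref("signon.autofillForms", false);
user_pref("security.ask_for_password", 0);
user_pref("signon.rememberSignons", false);
user_pref("browser.cache.disk.enable", false);
user_pref("browser.cache.disk_cache_ssl", false);
user_pref("browser.cache.memory.enable", false);
user_pref("browser.cache.offline.enable", false);
user_pref("browser.sessionstore.privacy_level", 2);
user_pref("browser.sessionstore.privacy_level_deferred", 2);
user_pref("browser.sessionstore.postdata", 0);
user_pref("browser.sessionstore.enabled", false);

/* TLS. min=1 still admits TLS 1.0 (max=3 is TLS 1.2); raise min if nothing you use needs 1.0.
 * OCSP is off in both forms (stapling and live lookup), so a revoked certificate is
 * accepted like any other - cert pinning at level 2 is the remaining check. */
user_pref("security.ssl.warn_missing_rfc5746", 1);
user_pref("security.tls.version.min", 1);
user_pref("security.tls.version.max", 3);
user_pref("security.warn_entering_weak", true);
user_pref("security.tls.unrestricted_rc4_fallback", false);
user_pref("security.tls.insecure_fallback_hosts.use_static_list", false);
user_pref("security.ssl.enable_ocsp_stapling", false);
user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
user_pref("security.OCSP.require", false);
user_pref("security.OCSP.enabled", 0);
user_pref("security.cert_pinning.enforcement_level", 2);
user_pref("security.ssl.errorReporting.automatic", false);

/* cipher suites: everything NULL / export / RC4 / 3DES / Camellia / static (EC)DH / DSS off,
 * leaving ECDHE-AES (GCM and CBC) plus plain RSA-AES as the fallback */
user_pref("security.ssl3.rsa_null_sha", false);
user_pref("security.ssl3.rsa_null_md5", false);
user_pref("security.ssl3.ecdhe_rsa_null_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_null_sha", false);
user_pref("security.ssl3.ecdh_rsa_null_sha", false);
user_pref("security.ssl3.ecdh_ecdsa_null_sha", false);
user_pref("security.ssl3.rsa_seed_sha", false);
user_pref("security.ssl3.rsa_rc4_40_md5", false);
user_pref("security.ssl3.rsa_rc2_40_md5", false);
user_pref("security.ssl3.rsa_1024_rc4_56_sha", false);
user_pref("security.ssl3.rsa_camellia_128_sha", false);
user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
user_pref("security.ssl3.ecdh_rsa_aes_128_sha", false);
user_pref("security.ssl3.ecdh_ecdsa_aes_128_sha", false);
user_pref("security.ssl3.dhe_rsa_camellia_128_sha", false);
user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
user_pref("security.ssl3.ecdh_ecdsa_rc4_128_sha", false);
user_pref("security.ssl3.ecdh_rsa_rc4_128_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
user_pref("security.ssl3.rsa_rc4_128_md5", false);
user_pref("security.ssl3.rsa_rc4_128_sha", false);
user_pref("security.ssl3.dhe_dss_des_ede3_sha", false);
user_pref("security.ssl3.dhe_rsa_des_ede3_sha", false);
user_pref("security.ssl3.ecdh_ecdsa_des_ede3_sha", false);
user_pref("security.ssl3.ecdh_rsa_des_ede3_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_des_ede3_sha", false);
user_pref("security.ssl3.ecdhe_rsa_des_ede3_sha", false);
user_pref("security.ssl3.rsa_des_ede3_sha", false);
user_pref("security.ssl3.rsa_fips_des_ede3_sha", false);
user_pref("security.ssl3.ecdh_rsa_aes_256_sha", false);
user_pref("security.ssl3.ecdh_ecdsa_aes_256_sha", false);
user_pref("security.ssl3.rsa_camellia_256_sha", false);
user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", true);
user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true);
user_pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true);
user_pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true);
user_pref("security.ssl3.dhe_rsa_camellia_256_sha", false);
user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);
user_pref("security.ssl3.dhe_dss_aes_128_sha", false);
user_pref("security.ssl3.dhe_dss_aes_256_sha", false);
user_pref("security.ssl3.dhe_dss_camellia_128_sha", false);
user_pref("security.ssl3.dhe_dss_camellia_256_sha", false);
user_pref("security.ssl3.rsa_aes_256_sha", true);
user_pref("security.ssl3.rsa_aes_128_sha", true);

/* fonts, referer, DNT */
user_pref("browser.display.use_document_fonts", 0);
user_pref("gfx.downloadable_fonts.enabled", false);
user_pref("gfx.font_rendering.opentype_svg.enabled", false);
user_pref("network.http.sendSecureXSiteReferrer", false);
user_pref("privacy.donottrackheader.enabled", false);
user_pref("privacy.donottrackheader.value", 1);
user_pref("network.http.sendRefererHeader", 0);
user_pref("network.http.referer.spoofSource", false);

/* plugins: click-to-play, nothing enumerable, scanning of legacy plugin folders off */
user_pref("plugin.default.state", 0);
user_pref("plugin.defaultXpi.state", 0);
user_pref("plugins.click_to_play", true);
user_pref("plugin.sessionPermissionNow.intervalinminutes", 0);
user_pref("plugin.state.flash", 0);
user_pref("pfs.datasource.url", "");
user_pref("plugins.enumerable_names", "");
user_pref("security.xpconnect.plugin.unrestricted", false);
user_pref("plugin.scan.plid.all", false);
user_pref("plugin.scan.4xPluginFolder", false);
user_pref("plugin.scan.Acrobat", "100");              /* string form; the integer 99999 the original set first was overridden by this anyway */
user_pref("plugin.scan.Quicktime", "100");
user_pref("plugin.scan.WindowsMediaPlayer", "100");

/* media: no autoplay, no WebRTC (address leak path), no EME/GMP downloads, no WebGL */
user_pref("media.autoplay.enabled", false);
user_pref("media.gmp-provider.enabled", false);
user_pref("media.peerconnection.enabled", false);
user_pref("media.peerconnection.use_document_iceservers", false);
user_pref("media.peerconnection.identity.enabled", false);
user_pref("media.peerconnection.video.enabled", false);
user_pref("media.peerconnection.identity.timeout", 1);
user_pref("media.navigator.permission.disabled", true);
user_pref("media.navigator.enabled", false);
user_pref("media.gmp-gmpopenh264.enabled", false);
user_pref("media.gmp-manager.url", "");
user_pref("media.gmp.trial-create.enabled", false);
user_pref("browser.eme.ui.enabled", false);
user_pref("media.gmp-eme-adobe.enabled", false);
user_pref("media.eme.enabled", false);
user_pref("media.eme.apiVisible", false);
user_pref("webgl.disabled", true);
user_pref("pdfjs.enableWebGL", false);
user_pref("webgl.min_capability_mode", true);
user_pref("webgl.disable-extensions", true);
user_pref("media.video_stats.enabled", false);
user_pref("media.webspeech.recognition.enable", false);
user_pref("media.getusermedia.screensharing.enabled", false);
user_pref("media.getusermedia.screensharing.allowed_domains", "");
user_pref("camera.control.autofocus_moving_callback.enabled", false);
user_pref("camera.control.face_detection.enabled", false);
user_pref("media.fragmented-mp4.enabled", true);
user_pref("media.fragmented-mp4.exposed", true);
user_pref("media.fragmented-mp4.ffmpeg.enabled", true);
user_pref("media.fragmented-mp4.gmp.enabled", true);
user_pref("media.fragmented-mp4.use-blank-decoder", false);

/* DOM surface: window-chrome tampering, storage, device apis, timing apis */
user_pref("dom.event.contextmenu.enabled", false);
user_pref("dom.webnotifications.enabled", false);
user_pref("dom.disable_window_open_feature.location", true);
user_pref("dom.disable_window_open_feature.menubar", true);
user_pref("dom.disable_window_open_feature.resizable", true);
user_pref("dom.disable_window_open_feature.scrollbars", true);
user_pref("dom.disable_window_open_feature.status", true);
user_pref("dom.disable_window_open_feature.toolbar", true);
user_pref("dom.disable_window_flip", true);
user_pref("dom.disable_window_move_resize", true);
user_pref("dom.disable_window_open_feature.close", true);
user_pref("dom.disable_window_open_feature.minimizable", true);
user_pref("dom.disable_window_open_feature.personalbar", true);
user_pref("dom.disable_window_open_feature.titlebar", true);
user_pref("dom.disable_window_status_change", true);
user_pref("dom.allow_scripts_to_close_windows", false);
user_pref("javascript.options.methodjit.chrome", false);
user_pref("javascript.options.methodjit.content", false);
user_pref("javascript.options.asmjs", false);
user_pref("dom.storage.enabled", false);
user_pref("dom.event.clipboardevents.enabled", false);
user_pref("dom.indexedDB.enabled", false);
user_pref("dom.telephony.enabled", false);
user_pref("dom.gamepad.enabled", false);
user_pref("dom.battery.enabled", false);
user_pref("dom.network.enabled", false);
user_pref("dom.netinfo.enabled", false);
user_pref("dom.enable_user_timing", false);
user_pref("dom.enable_resource_timing", false);
user_pref("dom.enable_performance", false);
user_pref("dom.vr.enabled", false);
user_pref("dom.vibrator.enabled", false);
user_pref("dom.popup_maximum", 3);
user_pref("dom.idle-observers-api.enabled", false);
user_pref("dom.workers.sharedWorkers.enabled", false);
user_pref("full-screen-api.enabled", false);
user_pref("beacon.enabled", false);
user_pref("device.sensors.enabled", false);

/* downloads */
user_pref("browser.download.folderList", 2);
user_pref("browser.download.useDownloadDir", false);
user_pref("browser.helperApps.deleteTempFileOnExit", true);
user_pref("browser.download.manager.addToRecentDocs", false);
user_pref("browser.download.manager.retention", 0);
user_pref("browser.download.hide_plugins_without_extensions", false);
user_pref("browser.pagethumbnails.capturing_disabled", true);

/* content security: mixed content blocked, CSP and SRI on, strict file:// origins */
user_pref("network.jar.open-unsafe-types", false);
user_pref("security.mixed_content.block_active_content", true);
user_pref("security.mixed_content.block_display_content", true);
user_pref("security.csp.enable", true);
user_pref("security.csp.experimentalEnabled", true);
user_pref("security.fileuri.strict_origin_policy", true);
user_pref("security.sri.enable", true);

/* devtools remote surfaces, casting, layerscope */
user_pref("devtools.webide.autoinstallADBHelper", false);
user_pref("devtools.webide.autoinstallFxdtAdapters", false);
user_pref("devtools.debugger.remote-enabled", false);
user_pref("devtools.webide.enabled", false);
user_pref("browser.casting.enabled", false);
user_pref("gfx.layerscope.enabled", false);

/* protocol: SPDY/HTTP2 off, in-browser PDF off, DNS resolved on the SOCKS proxy side */
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3-1", false);
user_pref("network.http.spdy.enabled.http2", false);
user_pref("network.http.spdy.enabled.http2draft", false);
user_pref("pdfjs.disabled", true);
user_pref("network.proxy.socks_remote_dns", true);

/* wipe everything on shutdown and on "clear private data" */
user_pref("privacy.clearOnShutdown.cache", true);
user_pref("privacy.clearOnShutdown.cookies", true);
user_pref("privacy.clearOnShutdown.downloads", true);
user_pref("privacy.clearOnShutdown.formdata", true);
user_pref("privacy.clearOnShutdown.history", true);
user_pref("privacy.clearOnShutdown.offlineApps", true);
user_pref("privacy.clearOnShutdown.passwords", true);
user_pref("privacy.clearOnShutdown.sessions", true);
user_pref("privacy.clearOnShutdown.siteSettings", true);
user_pref("privacy.cpd.cache", true);
user_pref("privacy.cpd.cookies", true);
user_pref("privacy.cpd.downloads", true);
user_pref("privacy.cpd.formdata", true);
user_pref("privacy.cpd.history", true);
user_pref("privacy.cpd.offlineApps", true);
user_pref("privacy.cpd.passwords", true);
user_pref("privacy.cpd.sessions", true);
user_pref("privacy.cpd.siteSettings", true);

/* UI nags */
user_pref("general.warnOnAboutConfig", false);
user_pref("browser.tabs.warnOnClose", false);
user_pref("browser.tabs.warnOnCloseOtherTabs", false);
user_pref("browser.tabs.warnOnOpen", false);
user_pref("browser.tabs.closeWindowWithLastTab", false);
user_pref("browser.search.showOneOffButtons", false);
user_pref("browser.backspace_action", 2);
user_pref("clipboard.autocopy", false);

/* add-on installs: whitelist prompt off. Trade-off: any site you click "install" on is
 * treated like addons.mozilla.org; keep this in mind before saying yes to an .xpi. */
user_pref("xpinstall.whitelist.add", "");
user_pref("xpinstall.whitelist.add.180", "");
user_pref("xpinstall.whitelist.required", false);
user_pref("capability.policy.allowclipboard.Clipboard.cutcopy", "allAccess");
user_pref("capability.policy.allowclipboard.Clipboard.paste", "allAccess");
user_pref("extensions.enabledScopes", 5);
/* 091616-end-of-tweax */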
  6. i'd keep the router doin just that, routing and run each device connecting to it static and on itz own vpn server
  7. i'm not a fan of running vpn from a router; it is kinda nyce, at least for me, to have different boxes connected to different servers, plus the redundancy of that config. just keep testing and hope all goes well
  8. cm0s

    FBI Honeypot?

    security is layers. also, anonymity and encryption can be thought of like this: you can have anonymity without the use of encryption; you can have anonymity with the use of encryption; encryption tho really has nothing to do with anonymity. harden yer local and the bad human habits, and aim at whatever yer threat model is yer rollen against
  9. i started to read it then saw a bunch of 'legal' words in there i'm gonna assume it's probably not good for the consumers either way hope things work out thank you for the info, sincerely cheerz
  10. if you got blocked by facebook you just had an awesum thing happen to ya
  11. once in a while a server gets blocked; usually i just hop to another one, check back in a day or two, and often it gets restored
  12. yer good in my book man and wish you and your loved ones kind regards/respect sincerely, splif aka cm0s aka puppytreat_bandit
  13. hope this helps: https://airvpn.org/topic/11245-how-to-set-up-pfsense-21-for-airvpn/
  14. lots of ways to get 'around' that usually server hopping and if ya want somethin really clean just put a box up online and route through it that way ya got a real box up there anyway do other things with it these guys are nyce: https://pacmanvps.com/
  15. yeah network mangler does that i never got used to it, at all just set your local to static and get a opensource router or flash an old one ya got layen around shut off yer dhcp server on that this does a couple of things for ya: first, you now have full control over your local, meaning your isp STOPS at the router that right there gives me a warm fuzzy feeling second you can do this for all the things conneting to your local, meaning ya don't have boxes and phones running junk they don't need that hey, lets face it, first thing they tell ya at bandcamp: don't talk about bandcamp well i mean they say things too like 'don't lead with your chin' or sumthin like that the less junk i got purren and runnen the less for me to break is my point before i have had 30 cups of coffee ok that iptalbes example: i'm not a guru at this so if ya see sumthin wrong or can be improved on etc yeah lemme know please.... this script is a server config comment out what ya don't want mod block ipz or botz with your stuff # 051317_edit geo blocking/spam filter ge0z/country codez # ----- # server config # # to reconnect... # iptables -F # iptables -X # iptables -P INPUT ACCEPT # iptables -P OUTPUT ACCEPT # test firewall with nmap... # nmap -v -f/-sX/-sN ip_addy # check status # iptables -L -n -v # for arch: pacman -S ipset/modprobe -v ip_set | ipset -n list # if non-vpn comment out '# -->' section # to start scratch w/geo, -X,-F tables, ipset destroy geoz, accpet traffic # check with ipset list, rm the wget file also # ipset save > /your/directory/blacklist.save | ipset restore < /your/directory/blacklist.save echo "-> waking wald0 up..." # echo "-> remove rules from chains..." iptables -F iptables -t nat -F iptables -t mangle -F # echo "-> remove user definez..." iptables -X iptables -t nat -X iptables -t mangle -X # echo "-> droppen shit..." iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT ACCEPT # # input/output/vpn echo "-> setten up the flow..." 
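# --- flow -------------------------------------------------------------------
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT                                   # allow loopback access
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT     # replies to connections we opened
# -->
# comment out if not vpn
iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT                      # communicate with any DHCP server/router
iptables -A INPUT -s 255.255.255.255 -j ACCEPT                       # communicate with any DHCP server/router
iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT      # communicate within lan
iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
iptables -A FORWARD -i enp2s1 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o enp2s1 -j ACCEPT                      # make sure enp2s1/tun0 can communicate
# every DNS query passing through, whatever resolver the client asked, is rewritten to the vpn resolver
iptables -t nat -A PREROUTING -s 0/0 -p udp --dport 53 -j DNAT --to 10.5.0.1   # use vpn dns
iptables -t nat -A PREROUTING -s 0/0 -p tcp --dport 53 -j DNAT --to 10.5.0.1   # use vpn dns
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE                 # map tun0 outgoing IP addy
iptables -A OUTPUT -o enp2s1 ! -d 127.0.0.1 -p tcp --dport 1413 -j DROP   # if traffic isn't vpn
# -->
# NOTE: the "ssh, net, ssl" ACCEPT rule now lives near the END of this script, after the
# SSH/BRUTEFORCE rate-limit rules. iptables matches in chain order, so placed here it
# would accept every new 22/80/443 connection before the limiters ever saw one.
#
# --- blocking spam ----------------------------------------------------------
# -exist: re-running the script must not die because the set is already there;
# flush: start empty so a range that left a feed also leaves the firewall.
ipset create -exist blacklist hash:net
ipset flush blacklist
# change directory listing here for server
IP_TMP=/yourdirectory/ip.tmp
IP_BLACKLIST=/yourdirectory/ip-blacklist.conf
IP_BLACKLIST_TMP=/yourdirectory/ip-blacklist.tmp
: > "$IP_BLACKLIST_TMP"        # the previous run's leftovers must not leak into this one
list="chinese nigerian russian lacnic exploited-servers"
# NOTE(review): most feeds below are fetched over plain http. Whoever sits on that path
# can rewrite the list and thereby pick which addresses this host drops. Use the https
# endpoint wherever the provider offers one.
BLACKLISTS=(
    "http://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1"   # TOR Exit Nodes
    "http://www.maxmind.com/en/anonymous_proxies"                         # MaxMind GeoIP Anonymous Proxies (html page; every dotted quad on it is taken)
    "http://danger.rulez.sk/projects/bruteforceblocker/blist.php"         # BruteForceBlocker IP List
    "http://blocklist.greensnow.co/greensnow.txt"                         # greenz ETz rbn-ips replacement
    "http://www.spamhaus.org/drop/drop.lasso"                             # Spamhaus Don't Route Or Peer List (DROP)
    "http://cinsscore.com/list/ci-badguys.txt"                            # C.I. Army Malicious IP List
    "http://www.autoshun.org/files/shunlist.csv"                          # Autoshun Shun List
    "http://rules.emergingthreats.net/blockrules/compromised-ips.txt"     # bad ipz by emergingz
    "https://zeustracker.abuse.ch/blocklist.php?download=badips"          # mohrr bad ipz
    "https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist"  # mohrrz ipz
    "http://malc0de.com/bl/IP_Blacklist.txt"                              # malc0dz recentz 2016
    "http://lists.blocklist.de/lists/all.txt"                             # blocklist.de attackers
)
for i in "${BLACKLISTS[@]}"
do
    # -f: an error page must not be mined for "addresses"; a feed that fails is skipped, not fatal
    if ! curl -fsSL "$i" -o "$IP_TMP"; then
        echo "!! could not fetch $i, skipping" >&2
        continue
    fi
    grep -Po '(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?' "$IP_TMP" >> "$IP_BLACKLIST_TMP"
done
for i in $list; do
    # Download if needed change directory for server
    # (the original passed the directory as a second URL and then read the file from the
    #  current directory; -O names the destination explicitly)
    html="/yourdirectory/$i-iptables-blocklist.html"
    if ! wget --quiet -O "$html" "http://www.wizcrafts.net/$i-iptables-blocklist.html"; then
        echo "!! could not fetch $i blocklist, skipping" >&2
        continue
    fi
    # Grep out all but ip blocks
    grep -v '<' "$html" | grep -v ':' | grep -v ';' | grep -v '#' | grep '[0-9]' > "/yourdirectory/$i.txt"
    # Consolidate blocks into master list
    cat "/yourdirectory/$i.txt" >> "$IP_BLACKLIST_TMP"
done
#
sort -u "$IP_BLACKLIST_TMP" > "$IP_BLACKLIST"
rm -f "$IP_BLACKLIST_TMP" "$IP_TMP"
wc -l "$IP_BLACKLIST"
#
grep -E -v "^#|^$" "$IP_BLACKLIST" | while IFS= read -r ip
do
    ipset add -exist blacklist "$ip"       # a malformed line prints an error and the loop goes on
done
#
iptables -A INPUT -m set --match-set blacklist src -j DROP
#
# --- snag sum zonez ---------------------------------------------------------
mkdir -p /yourdirectory/spamz1 /yourdirectory/spamz2   # wget -O does not create the directory
# if `ipset add` ever reports the set is full, re-create it with a larger maxelem
ipset create -exist geoz1 hash:net
ipset flush geoz1
# brace expansion hands wget one URL per country; -O appends them all into the one file
wget -O /yourdirectory/spamz1/1.txt http://www.ipdeny.com/ipblocks/data/countries/{sa,so,sv,sy,ua,mn,bo,cz,pl}.zone
sleep 1
wget -O /yourdirectory/spamz1/2.txt http://www.ipdeny.com/ipblocks/data/countries/{va,za,tw,zm,zw,is,jp,ru,uz}.zone
sleep 1
wget -O /yourdirectory/spamz1/3.txt http://www.ipdeny.com/ipblocks/data/countries/{se,au,ge,pe,ug,md,ca,by,fr}.zone
sleep 1
# add each IP address from the downloaded list into the ipset-db 'geoz1'
cat /yourdirectory/spamz1/*.txt | while IFS= read -r net; do ipset add -exist geoz1 "$net"; done
# for server
ipset create -exist geoz2 hash:net
ipset flush geoz2
wget -O /yourdirectory/spamz2/4.txt http://www.ipdeny.com/ipblocks/data/countries/{bg,ba,cn,iq,ir,it,cf,es,il}.zone
sleep 1
wget -O /yourdirectory/spamz2/5.txt http://www.ipdeny.com/ipblocks/data/countries/{hk,kr,kp,kw,kz,in,br,dz,be}.zone
sleep 1
wget -O /yourdirectory/spamz2/6.txt http://www.ipdeny.com/ipblocks/data/countries/{ly,mx,pk,ps,rw,ar,az,de,dm}.zone
# add each IP address from the downloaded list into the ipset-db 'geoz2'
cat /yourdirectory/spamz2/*.txt | while IFS= read -r net; do ipset add -exist geoz2 "$net"; done
# for server
#
# --- blocking geoz ----------------------------------------------------------
echo "-> blocking country codz..."
# -I puts these at the head of the chain, ahead of the ESTABLISHED accept, so even a
# flow that is already open to a listed country dies
iptables -I INPUT -m set --match-set geoz1 src -j DROP
iptables -I INPUT -m set --match-set geoz2 src -j DROP
iptables -I OUTPUT -m set --match-set geoz1 dst -j DROP
iptables -I OUTPUT -m set --match-set geoz2 dst -j DROP
#
# --- blocking botz ----------------------------------------------------------
echo "-> droppen sum botz/scanz..."
# only the first 1000 bytes of a packet are searched, and only cleartext: on 443 the
# user-agent sits inside TLS, so in practice these rules can only ever match on 80
for ua in "NetcraftSurveyAgent" "w3af.sourceforge.net" "nikto" "sqlmap" "Openvas" "Nmap" "ZmEu"; do
    iptables -A INPUT -p tcp -m tcp -m multiport --dports 80,443 -m string --string "$ua" --algo bm --to 1000 -j DROP
done
#
# --- blocking mohr spam -----------------------------------------------------
echo "-> droppen sum spam..."
iptables -A INPUT -p tcp -s 116.0.0.0/8 -j DROP         # asia spam'ish'
iptables -A INPUT -p tcp -s 58.17.30.0/23 -j DROP       # China - ShangHai Shelian company
iptables -A INPUT -p tcp -s 59.69.128.0/19 -j DROP      # China - Nanyang Institute Tech.
iptables -A INPUT -p tcp -s 61.164.145.0/24 -j DROP     # China - Wenzhou Telecom
iptables -A INPUT -p tcp -s 81.196.20.0/23 -j DROP      # Romania - RCS & RDS S.A.
iptables -A INPUT -p tcp -s 82.213.64.0/19 -j DROP      # Italy - MIPIACE.COM SPA
iptables -A INPUT -p tcp -s 111.0.0.0/10 -j DROP        # China - Mobile Comm Corp
iptables -A INPUT -p tcp -s 125.23.218.0/24 -j DROP     # India - Bharti Tele-Ventures
iptables -A INPUT -p tcp -s 183.129.128.0/17 -j DROP    # China - Zhejiang Telecom
iptables -A INPUT -p tcp -s 200.105.224.0/20 -j DROP    # Ecuador - PUNTONET S.A.
iptables -A INPUT -p tcp -s 203.99.130.0/23 -j DROP     # Indonesia - PT Varnion Tech Semesta
iptables -A INPUT -p tcp -s 210.83.84.64/26 -j DROP     # China - China Unicom CncNet
iptables -A INPUT -p tcp -s 222.96.0.0/19 -j DROP       # Korea - Korea Telecom
iptables -A INPUT -p tcp -s 131.178.0.0/16 -j DROP      # Mexico spam'ish'
#
echo "-> droppen spoofz..."
# NOTE(review): these are not bound to an interface, so 10.0.0.0/8 also covers the vpn
# side (10.5.0.1 above); anything from there that conntrack did not already accept is
# dropped. Confirm that is what you want on tun0, otherwise add -i enp2s1 to them.
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -d 240.0.0.0/5 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -d 0.0.0.0/8 -j DROP
iptables -A INPUT -d 239.255.255.0/24 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP
#
echo "-> blocken icbmzzz..."
iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT   # one ping a second gets through
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP                             # the rest do not
#
echo "-> drop off the invaldz..."
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
#
echo "-> limit the rst flow..."
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
#
echo "-> bypass the scanners..."
# a source on the 'portscan' list stays dropped for a day. The list is filled by the
# catch-all rule at the very end of INPUT (the original never --set anything, so these
# two rules were dead code).
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
#
echo "-> block some brutez..."
iptables -N BRUTEFORCE
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j BRUTEFORCE
iptables -A BRUTEFORCE -m recent --set
iptables -A BRUTEFORCE -m recent --update --seconds 3600 --hitcount 6 -j DROP   # 6th new 443 connection in an hour: drop
#
echo "-> avoid broadcasts..."
EXTERNAL_INTERFACE=enp2s1   # the wan-side interface used by the forward/vpn rules above
BROADCAST_NET=""            # PLACEHOLDER: your LAN broadcast address; the original left both names undefined
if [ -n "$BROADCAST_NET" ]; then
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -d "$BROADCAST_NET" -j DROP
else
    echo "!! BROADCAST_NET not set, broadcast drop rule skipped" >&2
fi
#
echo "-> drop the fragging..."
iptables -A INPUT -f -j DROP
iptables -A INPUT -p tcp --dport 113 -m state --state NEW -j REJECT --reject-with tcp-reset   # ident: reset rather than silently drop
# ssh: a source opening 4+ new connections inside 60s gets dropped. --update on its own
# never adds anyone to the list, so without the --set rule the limiter was a no-op.
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name SSH --set
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP
#
echo "-> not into X-Mas..."
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
#
echo "-> null-la-bye..."
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
#
echo "-> dropn sum fellaz..."
# uncomment to block ipz:
iptables -A INPUT -s 239.192.152.143,181.228.206.138,51.254.213.15,82.221.105.7,106.219.59.202 -j DROP
iptables -A INPUT -s 122.162.123.217,43.246.249.217,177.83.170.134,37.214.90.130,82.221.105.7 -j DROP
iptables -A INPUT -s 208.52.154.240,213.230.72.206,107.20.135.43,197.221.129.138,123.243.167.240 -j DROP
iptables -A INPUT -s 5.133.161.202,77.81.6.234,37.153.173.10,190.117.116.177,197.221.129.138 -j DROP
iptables -A INPUT -s 217.19.216.243,212.56.214.203,155.94.254.143,67.21.104.221,50.194.147.69 -j DROP
iptables -A INPUT -s 87.252.229.9,5.135.151.181,213.230.73.71,104.238.111.88,185.25.151.159 -j DROP
iptables -A INPUT -s 141.212.122.129,91.196.50.33,146.185.239.100,198.20.87.98,185.106.92.113 -j DROP
iptables -A INPUT -s 109.205.249.84,98.190.250.74,5.141.215.112,193.242.203.131,87.66.122.232 -j DROP
iptables -A INPUT -s 104.1.209.192,62.183.125.123,178.218.202.119,207.232.21.133 -j DROP
#
# ssh, net, ssl -- uncomment to open them. Deliberately placed AFTER the SSH and
# BRUTEFORCE rules: chain order is match order, and above them this ACCEPT wins first.
# iptables -A INPUT -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT
#
# anything that reached this point and still wants a new tcp connection hit a port
# nothing above opened: remember the source so the 'portscan' rules drop it for 86400s.
# (a legitimate client that pokes one closed port is locked out for a day too - that is
# what the 86400s above already asked for)
iptables -A INPUT -p tcp --syn -m recent --name portscan --set -j DROP
#
echo "-> ignore bad errerz..."
# Ignore bad error messages
for f in /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses; do echo 1 > "$f"; done
#
echo "-> disable response to broadkastz..."
# Disable response to broadcasts
for f in /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts; do echo 1 > "$f"; done
#
echo "-> downen source routed paketz..."
# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > "$f"; done
#
echo "-> enabling syn cookie protekshun..."
# Enable TCP SYN Cookie Protection
for f in /proc/sys/net/ipv4/tcp_syncookies; do echo 1 > "$f"; done
#
echo "-> disabling redirekz..."
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > "$f"; done
#
echo "-> not sending redirekz messuhguz..."
# Don't send Redirect Messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > "$f"; done
#
echo "-> droppen spoof pakz..."
# Drop Spoofed Packets coming in
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$f"; done
#
echo "-> saven the setz Chewy..."
# iptables-save only prints to stdout; without a redirect nothing survives a reboot.
# Point both at whatever your distro's restore unit reads (placeholder paths below).
iptables-save > /yourdirectory/iptables.rules
ipset save > /yourdirectory/ipset.save
#
# now that is waaaayyyyy over kill so take out the stuff ya don't want cheerz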
  16. set your local to static shut off any dhcp server etc on your router the one device most folks don't config is actually mohr important than the boxes themselves and that is the router what you connect to and through is sum pretty impohtunt facterd